1.7 Intended Use of the Watchdog

A WDT is meant to save the day when the system suffers an unforeseen failure that neither firmware nor hardware handles, or when an external disturbance causes the system to fail. A well-used WDT generates a system Reset that the end-user will barely notice. Contrast this with a product that needs power cycling every now and then to return to an operational state, and the difference is apparent: it decides whether the end-user is satisfied with the product or not.

In general it is recommended to issue the WDT Reset (the WDR instruction) from somewhere in the main loop of the firmware. Do not Reset the WDT in interrupt service routines, unless the interrupt routine checks a series of flags that confirm correct execution of the various parts of the firmware. A timer interrupt that issues WDR unconditionally keeps running after the main loop has hung, so the WDT would then protect nothing. If these simple rules are followed, the WDT is hard to misuse.

The WDT Window mode is a bit more challenging to use than the Normal mode, as it requires stricter control of the WDT Reset timing. In Window mode the WDT should be Reset from somewhere within the main loop, never in interrupt service routines, as this would impair the closed window protection. Because the closed window defines the minimum expected duration of the main loop (or of subsections of the main loop), it can be used to catch cases where parts of the main loop code are not executed, or where a function call exits early. For example, an algorithm or other software failure may cause an operation to finish too quickly: the expected duration of writing a value to the EEPROM is 4 ms, but if the write completes in a few microseconds (because inspection of a status flag failed, say), the subsequent WDT Reset arrives inside the closed window and the WDT Resets the system. Another example is corruption of the return stack or of the stack pointer itself, causing abnormal program execution that reaches the WDT Reset at the wrong time.

Another case where Window mode offers good protection is when code execution is stuck in a loop that executes the WDR instruction repeatedly. In Normal mode such a loop keeps the WDT satisfied indefinitely and the fault is never detected. In Window mode, if the WDT Reset occurs more frequently than anticipated (inside the closed window), the WDT assumes that a failure has occurred and Resets the system to bring it back to an operational state.
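The following is an added example and not code from the application note: a host-side C model of the Normal and Window modes that replays the three situations described in this section (a main loop that ends with WDR, the EEPROM write that exits early, and execution stuck in a loop of WDR instructions), plus the flag-gated interrupt pattern that is the one case in which an ISR may issue WDR. It does not touch the real WDT registers; the closed window (3 ms), the end of the open window (8 ms), the 1 ms assumed for the rest of the main loop and the section names are assumed values, chosen to fit the 4 ms EEPROM write from the text.

```c
/* Added example, not the application note's code: a host-side model of the
 * WDT in Normal and Window mode. All timings are assumed values in
 * microseconds; only the 4 ms EEPROM write comes from the text. */
#include <stdbool.h>
#include <stdint.h>

typedef enum { WDT_OK = 0, WDT_FAULT_EARLY, WDT_FAULT_TIMEOUT } wdt_result_t;

typedef struct {
    bool     window_mode;  /* false: Normal mode, only a timeout can fire */
    uint32_t closed_us;    /* Window mode: WDR before this has elapsed is a fault */
    uint32_t timeout_us;   /* no WDR within this period is a fault (both modes) */
    uint32_t last_wdr_us;  /* absolute time of the last accepted WDR */
} wdt_model_t;

static void wdt_init(wdt_model_t *w, bool window_mode, uint32_t closed_us, uint32_t timeout_us)
{
    w->window_mode = window_mode;
    w->closed_us = closed_us;
    w->timeout_us = timeout_us;
    w->last_wdr_us = 0;
}

/* Execute a WDR at absolute time now_us and report what the WDT does with it. */
static wdt_result_t wdt_service(wdt_model_t *w, uint32_t now_us)
{
    uint32_t elapsed = now_us - w->last_wdr_us;
    if (elapsed >= w->timeout_us)
        return WDT_FAULT_TIMEOUT;            /* too late: the system was already Reset */
    if (w->window_mode && elapsed < w->closed_us)
        return WDT_FAULT_EARLY;              /* inside the closed window: system Reset */
    w->last_wdr_us = now_us;
    return WDT_OK;
}

#define CLOSED_US           3000u                      /* assumed closed window */
#define TIMEOUT_US          8000u                      /* assumed end of the open window */
#define EEPROM_US           4000u                      /* expected EEPROM write time (text) */
#define OTHER_US            1000u                      /* assumed rest of the main loop */
#define HEALTHY_PASS_US     (OTHER_US + EEPROM_US)     /* one normal main-loop pass */
#define EARLY_EXIT_PASS_US  (OTHER_US + 2u)            /* EEPROM write exited after 2 us */

/* Run `passes` iterations of a main loop that takes pass_us each and ends
 * with a WDR. Returns the first fault the WDT would raise, or WDT_OK. */
static wdt_result_t run_main_loop(bool window_mode, uint32_t pass_us, int passes)
{
    wdt_model_t w;
    uint32_t now = 0;
    wdt_init(&w, window_mode, CLOSED_US, TIMEOUT_US);
    for (int i = 0; i < passes; i++) {
        now += pass_us;
        wdt_result_t r = wdt_service(&w, now);
        if (r != WDT_OK)
            return r;
    }
    return WDT_OK;
}

/* Execution stuck in a tight loop that executes WDR on every iteration. */
static wdt_result_t run_stuck_wdr_loop(bool window_mode, int iterations)
{
    wdt_model_t w;
    uint32_t now = 0;
    wdt_init(&w, window_mode, CLOSED_US, TIMEOUT_US);
    for (int i = 0; i < iterations; i++) {
        wdt_result_t r = wdt_service(&w, ++now);   /* one WDR per microsecond */
        if (r != WDT_OK)
            return r;
    }
    return WDT_OK;
}

/* Flag-gated WDR from an interrupt, the one ISR pattern the text allows:
 * each main-loop section reports completion, and the tick handler may issue
 * WDR only when every section has run since the last WDR. Section names are
 * assumed. */
enum { SECT_INPUT = 1u, SECT_PROCESS = 2u, SECT_OUTPUT = 4u, SECT_ALL = 7u };
static volatile uint8_t g_sections_done;

static void section_done(uint8_t sect) { g_sections_done |= sect; }

static bool isr_tick_may_service_wdt(void)
{
    if ((g_sections_done & SECT_ALL) != SECT_ALL)
        return false;                        /* a section was skipped: let the WDT time out */
    g_sections_done = 0;                     /* every section must run again before the next WDR */
    return true;
}
```

Running the scenarios shows the asymmetry the section describes: a healthy 5 ms loop passes in both modes; the early-exit pass (1.002 ms) is accepted in Normal mode but Reset in Window mode; a loop that takes longer than 8 ms times out in both; and a tight WDR loop is only ever caught in Window mode. On a real AVR, wdt_service corresponds to executing the WDR instruction against the configured window, and isr_tick_may_service_wdt would guard that instruction inside the timer ISR.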